[Meta] Clarification on forum rules

@SteveJG edited out a link to a screenshot of some blocks in one of my posts saying

Links that automatically download files to a users computer are prohibited.

but I just read the FAQs and TOS and saw no rule saying that. The file was just a normal Discourse image upload, I just removed the ! to make it a link.
For example:

# Image upload
![Screenshot of an old webpage I saw saying "With gimmicks like this, is it any wonder that Word now consumes 120 *MegaBytes* of disk space?"](upload://pEWao1sPlMN05ewopYD0I9Jxv3E.png)

# Link to image
[Screenshot of an old webpage I saw saying "With gimmicks like this, is it any wonder that Word now consumes 120 *MegaBytes* of disk space?"](upload://pEWao1sPlMN05ewopYD0I9Jxv3E.png)

Which renders as:

Image upload

Link to image

Screenshot of an old webpage I saw saying "With gimmicks like this, is it any wonder that Word now consumes 120 MegaBytes of disk space?"

Besides, there's no way to automatically download a file to someone's computer, it should give a normal save file dialog. What gives? Is there a rule against linking to files served with content-disposition: attachment;?

(This was going to be a DM but @SteveJG has them off, though maybe it's better to have such discussion in the open anyway.)

Would you let me provide you with some links to virus files that once downloaded will do nasty things to your computer? I can do it via private message if you want.

There is a good reason for not allowing direct links on the community, it provides users with a "breathing space" before actually downloading something that may be malicious or they simply do not really want.

Along with this is providing direct links to images and pdfs instead of posting the content directly to the community in a post, which reduces time and prevents cluttering users computers with unnecessary files.

1 Like

If discourse didn't serve all user uploads with content-disposition: attachment; this wouldn't be an issue.

Yes, please.

That's reasonable but where does it say they aren't allowed?

Sorry to differ. The link you posted did just that on my PC. Clicked and your file auto downloaded. To post an image, just drag the image into this area. Thank you.

You don’t go into someone else’s house and complain about their rules.


I complain when I go somewhere and read the rules only to be told I'm breaking one I wasn't informed of.

Check your PMs

That is configurable behavior, all the browsers I use show confirmation before downloads and though there's probably a setting to turn it off I can't imagine why anyone would.

On my phone using Bromite (a Chromium fork):

On my computer using Firefox:

I don't use Chrom(e|ium) on my computer anymore but when I did I remember it used a normal save file dialog.

That is exactly what I did. However, I didn't want it to interrupt the flow of what I was saying so I removed the ! to make it a link.

That was an empty file.

So you downloaded it then. Are you absolutely SURE it was empty ?


Pretty sure.

Looong CLI logs
easrng@easrng-laptop:~$ file /home/easrng/Downloads/virus1.exe 
/home/easrng/Downloads/virus1.exe: empty
easrng@easrng-laptop:~$ xxd /home/easrng/Downloads/virus1.exe 
easrng@easrng-laptop:~$ ls -l /home/easrng/Downloads/virus1.exe 
-rw-r--r-- 1 easrng easrng 0 Jun 28 15:05 /home/easrng/Downloads/virus1.exe

# I switched to my phone
$ curl -v https://cyberama.co.uk/virus1.exe
*   Trying
* Connected to cyberama.co.uk ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
  CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=cyberama.co.uk
*  start date: Jun 27 10:25:38 2021 GMT
*  expire date: Sep 25 10:25:37 2021 GMT
*  subjectAltName: host "cyberama.co.uk" matched cert's "cyberama.co.uk"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /virus1.exe HTTP/1.1
> Host: cyberama.co.uk
> User-Agent: curl/7.72.0
> Accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 28 Jun 2021 19:34:46 GMT
< Server: Apache
< Last-Modified: Mon, 28 Jun 2021 19:03:43 GMT
< ETag: "0-5c5d825efa571"
< Accept-Ranges: bytes
< Content-Length: 0
< Content-Type: application/x-msdos-program
* Connection #0 to host cyberama.co.uk left intact

It sounds like the primary issue here is simply making sure that the policy is clear.

This could be mentioned under the "Keep It Tidy" header.